There has also been a lot of crap posted about safes and how to open them.

I’m writing this post to try and clear up some aspects of safes, both in terms of opening them an using them to improve your own security.

First things first, if you want your safe opened quickly and without damage, call a good safe engineer. If you are in the UK or Europe, I can put you in touch with someone.

Otherwise, read on.

Opening cheap modern safes

There are a lot of cheap modern safes, constructed of sheet steel (or even plastic/cement laminate!), often with digital combination locks or very insecure mechanical locks. These only provide an illusion of security.

How would I open a cheap digital combination lock safe?

Find the manual. The safe will have a default code, and could have a reset procedure that can be triggered from outside the safe. Try this first.

Call the manufacturer. Some of these safes have reset procedures that you can get from the manufacturer. You will need to prove ownership. Sometimes you need the serial number which will be inside the safe.

Try hitting it. A lot of these safes hold the boltwork back using a spring loaded solenoid. If you hit the safe in the right place with a mallet (or even your hand on smaller safes) whilst turning the handle, it bounces the solenoid back enough to allow the safe to open. This works on a surprisingly large number of safes.

Pick the override lock. Nearly all of these safes have a mechanical override lock. These are normally cheap wafer locks, which can be picked open easily by locksmiths and hobbyists.

Try and activate the code reset button. Many safes have a small button inside the door used to change the combination. I’ve managed to press this button from outside the safe by using a welding rod poked through a mounting hole on the rear of the safe.

Take the front panel off and manually activate the solenoid or motor. Some of the cheap safes have all of the electronics outside of the safe. If you remove the front panel, you will often find two wires going through the door. These connect to the solenoid or motor inside the safe. Apply the correct voltage (usually the same as the total voltage of the batteries) and the safe will unlock.

Cut the safe open. I’ve not seen one of these resist more than a few minutes with even a small angle grinder. The top or back is normally easiest.

Most of the time, you don’t really care if the safe survives or not, so go to town on it.

Opening bigger and better safes

If you want to try it yourself, you have the following options…

Non-destructively open the lock. There are a number of techniques that can be used to open mechanical combination locks – reading contact points, or brute forcing (trying every combination using a motor). This is a very skilled job. It is also unwise if you don’t know if the lock works or not – hours could be spent trying to open a lock that will never unlock. Matt Blaze has written a great guide on this (and other vulnerabilities) called “Safe Cracking For the Computer Scientist“. If the lock is mechanical, it can be picked.

Drill the safe. If non-destructive entry is not possible, safe engineers will drill the safe. This involves making a small penetration somewhere on the safe and then opening the safe through the hole. Again, this is a skilled job. You need to know exactly where to drill and then how to open the safe. Sometimes you will drill near to the combination lock and use a borescope to read the wheel pack. Sometimes you will drill to access the bolt or fence instead. Many safes have very hard steel called “hardplate” protecting the lock, and this requires a lot of pressure and special drill bits to get through. Most safes have some form of “relocker” – additional spring-loaded bolts that will trigger under attack and hold the boltwork shut. You really don’t want to trigger these as there is no way to unlock them from outside the safe. The small hole that is left can be filled with hardened steel and welded over for repair.

Cut the safe open. This still generally requires skill or knowledge if you don’t want to damage the contents. Angle grinders, punches, concrete breakers, and thermal lances are tools used here. This can be very time consuming and noisy.

Do you see a theme? You generally need to know what you are doing.

Opening a vault

Unless you can make a hole in the wall, floor, or ceiling, you should call a safe engineer.

Old safes vs. new

Most older safes tend to be fairly secure. I believe this is because of two things. Firstly, safes used to be made better, or at least, more solidly. Secondly, if an old safe has survived this long and not been opened, it’s either secure or too damn heavy to throw out.

Old safes have the advantage that most safe engineers won’t easily be able to determine how to open the lock or where to drill, just through a lack of knowledge and experience.

A lot of modern safes are cheap crap. Anything you can buy in B&Q can be cut open in under 10 minutes. But a good, expensive modern safe is a formidable opponent. Modern combination locks are very good – they have extensive “anti manipulation” features. Even low-cost lever locks are hard to pick. Hardplate is very hard and there are advanced composite materials that are difficult to drill or cut through.

What not to do

There is a lot of bad advice floating about.

Don’t cut the external hinges off the door. They aren’t part of the locking mechanism on even the cheapest safes, so you now have a broken safe that is still closed.

Don’t force the handle. Good safes have boltwork that won’t open no matter how much force you apply to the handle. The handle will shear off first or you will break part of the drive mechanism.

Don’t hit the dial or spindle of the combination lock. The combination lock and door has something called a relocker on it. If you trigger this by hitting it, additional spring-loaded bolts will fire and mean that you cannot open the safe even if you unlock the lock. You’ve potentially made an easy job much harder.

Don’t attempt to use thermite. I’m not sure why, but people suggest this. I suspect none of them have made or used thermite. I have. It’s hard to mix correctly, it isn’t cheap, it’s dangerous, and it will destroy the contents of the safe.

Don’t try a plasma cutter. Again, I suspect these people have never used a plasma cutter. They are exceptionally good at cutting through plate. They are no good when you cannot make the cut in one pass (there is nowhere for the slag to go, so it gets blasted back towards you). They will toast the contents. They are expensive and need a lot of compressed air.

Don’t try any other half-cut idea from someone who has no idea what they are doing. Dousing the safe in liquid nitrogen, filling with water and blowing it up etc. all sound like they are a lot more work and cost than just paying a safe engineer.

Don’t think that opening safes is some kind of mystical black art. There are hundreds of people who can open safes. The more expensive and secure the safe, the less there are that can open it. But there is no safe that cannot be opened.

Don’t think that the safe will have anything exciting in it. They very rarely do.

After reading all of that, you’ve decided you need a safe. What should you look for?

Avoid any digital combination safe that has a mechanical override lock. Instead of having one good mechanical lock, you now have a digital lock and a crap mechanical lock. The security of the safe is limited by the lower of the two.

Look for a good lever lock. At prices acceptable to most householders, a good lever lock will provide the best security.

Decide if you are protecting against fire and/or theft. A lot of “fire safes” have extremely poor security. Burglary is far more common than house fire. My safe protects against theft, and the small fire chest inside protects truly irreplaceable objects.

Avoid any safe that a single person can easily pick up. You don’t need something that weighs 750kg, but 50kg+ makes things a lot more awkward for burglars.

Make sure you can bolt the safe to the floor and/or wall. A 50kg safe attached to a concrete floor with 4 expanding bolts is going to be as hard to move as a 500kg safe.

Make sure it is big enough to hold your stuff. If it can’t hold the thing you need to protect, it has no purpose. A lot of smaller safes can’t take 15.6″ laptops.

Make sure it is accessible enough that you actually use it. If it is hidden away, you are unlikely to ever use it. If your stuff isn’t in the safe, it doesn’t matter how secure the safe is.

Recommended contacts

The following locksmiths and safe engineers are known to me, and whilst I have never had to use their services, I know they do good work.

Locks and building security is a funny business. The fundamental goal of a lock is to only let someone with a certain key open that lock. But they are mechanical devices, so there will always be weaknesses and ways to open them without the key – that could be as simple as “carding” the bolt (bypassing the lock altogether) or as complex as single pin picking the cylinder.

The concept of a truly unpickable lock is a fallacy. After all, if a key can open it, something that assimilates the key can also open it. That’s all that lock picking is – assimilating the key. All we can do is make the lock stronger or more pick resistant. This has been going on for years – 100 years ago simple warded lever locks were common, whereas now most house front doors will have a deadlocking nightlatch as well as one or more 5-lever mortise locks incorporating anti-pick features. The silly thing is there is nearly always a window that can be broken right next to the door.

Quite frequently it turns out that locks have design flaws, which make the lock far more vulnerable than it should be. Examples of this are padlock shims, comb picks and the now legendary Kryptonite ball point pen problem. What’s the best policy in these situations? Keep it secret so that not even the bad guys know about it? Or tell everyone so that they can make an informed decision about upgrading their locks? The locksmith community has always promoted the security through obscurity route. Whether this is for the best or not, I don’t know.

One such recent vulnerability has been termed “lock snapping”. This has been known about for years. Most UPVC doors use euro profile lock cylinders – these are oval shaped cylinders which contain just the lock itself, and they are inserted into the door inside of a locking mechanism along with a handle and deadbolt. This allows the user to chose what lock to fit to the door, and makes it easy to replace.

And there is the problem – the cylinder is removable from the lock, and hence vulnerable to attack. There are two basic methods. One is to grab the lock with a pair of mole grips (locking pliers) and bend it backwards and forwards until it snaps in the middle. The other is to drive a hardened steel screw into the keyway, and then you can pull the entire cylinder out, sometimes using mole grips, and sometimes using a slide hammer. This can take less than 30s with practice.

Manufacturers have responded in several ways:

Hardened steel escutcheons prevent the lock from being grabbed onto. Generally you can still pull the cylinder with a screw.

A laminated steel plate strengthens the cylinder (the CISA Astral range). These can still be snapped.

But as predicted, the locksmith community want to keep this under wraps. I can’t work out why – there are already a large number of burglaries that are carried out using this as the method of entry – the bad guys already know how to do this. Why shouldn’t people be made aware of a problem with their locks that render them practically ineffective?

Last week, a representative from Avocet locks turned up on one of the locksmith forums. He challenged anyone to come to their workshops and try to attack one of their new locks which are supposedly not vulnerable to snapping. As part of this, he posted several videos on youtube showing successful attacks against Cisa and other locks.

These videos seemed to annoy the locksmiths, despite the fact that there are loads of other videos available, and it’s pretty obvious how to do it anyway.

The best bit is, this forum is associated with a company that sells bump keys to anyone who wants them. I detect a certain level of hypocrisy here.

I'm a security researcher and reverse engineer. By visiting this site, you must realise that any or all files on this site may be jam packed full of the finest exploits, tricks and other gubbins. You might also get geo-located and port-scanned for fun and profit.
This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish.AcceptRead More
If I really want to track you, by tricking you into visiting this site, then it's going to be a lot more subtle than a browser cookie.